step-security/secure-repo

Secure-by-default templates

varunsh-coder opened this issue · 1 comment

In addition to fixing GitHub Actions workflows and Dockerfiles, we should also plan to show secure-by-default templates for common scenarios.

  • GitHub Actions for publishing scenarios that use OIDC, minimum token permissions, etc.
  • Dockerfiles for common scenarios with security best practices implemented
  • OpenSSF SLSA Generator, the recently released npm provenance generator

We can expand to secure-by-default templates for other as-code files (Terraform/CloudFormation, etc.) in the future.

We could also auto-generate reusable workflows based on an organization's current workflows.
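As an illustration of the first bullet (a publishing workflow using OIDC and minimum token permissions), here is an added example of what such a secure-by-default template could look like. It is not a template from the secure-repo project; it assumes an npm package whose `package.json` `repository` field matches this GitHub repo, a release-triggered publish, and an npm token stored as the repository secret `NPM_TOKEN`.

```yaml
name: publish-npm-with-provenance

on:
  release:
    types: [published]

# Default-deny at the workflow level: no job receives any GITHUB_TOKEN
# scope unless it is granted explicitly below.
permissions: {}

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read    # only what actions/checkout needs
      id-token: write   # lets npm request the OIDC token used to attest provenance
    steps:
      # A secure-by-default template would pin each action to the full commit SHA
      # of the release (placeholder: actions/checkout@<full-commit-sha> # v4)
      # instead of a mutable tag; the tag is used here only for readability.
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org   # sets up .npmrc for NODE_AUTH_TOKEN

      - run: npm ci
      - run: npm test

      # --provenance makes npm mint a SLSA provenance attestation from the
      # job's OIDC identity and publish it with the package to the registry.
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # assumed secret name
```

Because `permissions: {}` is set at the top level, any job added later starts with no token scopes and must opt in to each one it needs.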